New Linux Kernel Patched

There is a new point release Linux kernel that comes barely two weeks after 2.6.15 was released and fixes at least three different vulnerabilities.
The first Linux kernel of the year gets a point upgrade as work continues on the
next version.

Security firm Secunia has rated the three vulnerabilities as "moderately critical"; the potential impact could be a Denial of Service (DoS) attack against a vulnerable system.

The first vulnerability, CVE-2006-0035, describes a flaw that could trigger an infinite loop that a malicious user could potentially exploit as a DoS attack.

A patch for CVE-2006-0036, the second vulnerability, fixes a crash in ip_nat_pptp.

"When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmetic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes," according to the changelog for 2.6.15.1, the latest point release.

The final vulnerability, CVE-2006-0037, is similar to CVE-2006-0036 in that it describes another crash condition in ip_nat_pptp.

Patching a recently released Linux kernel is certainly nothing new.

The 2.6.13 kernel was similarly patched two weeks after being released.

The 2.6.12 Linux kernel was patched just days after its release to address a number of flaws.

Work continues on the next Linux kernel.

Linux creator Linus Torvalds has recently issued the first release candidate of the 2.6.16 kernel. The new release candidate includes changes that Torvalds in a mailing list posting describe as being, "all over the map."